Other than educational initiatives for schools, governments haven’t traditionally run large-scale security awareness campaigns directly to the public. This has changed in the United Kingdom with the introduction of the CyberStreetWise Campaign. CyberStreetWise is a cross-government campaign funded by the National Cyber Security Programme using the agency M&C Saatchi. The website features interactive security advice and educational videos for home users and small businesses.
The objective is to help reduce the susceptibility of home users and small businesses to online threats. The campaign is innovative not just because of the broad coalition of partners which have been brought together, but also because of the channels which are being used to deliver the content. To find out more about the campaign I caught up with Orna Joseph, Head of SOC Cyber Communications for the UK Office for Security and Counter Terrorism.
What were the origins of the campaign?
The UK government’s latest National Cyber Security Consumer Tracker found that the online exploiting of consumer and SME security was a growing cause of fraud. Qualitative analysis (National Fraud Segmentation) was done to improve our understanding of the issues. It was found that there were a number of key behaviours in audience segments that were increasing their susceptibility to attacks. Only 30% habitually used complex passwords to protect online accounts and 57% did not always check websites are secure before making a purchase. From this analysis, audiences were segmented into demographics to encapsulate the key differences. This meant that it was clear what positive behaviours needed to be increased, what negative behaviours needed to be decreased and who the likely ambassador groups were. Tuning of the messages not only used expert advice, but also used focus groups to make sure that the message was understood by target audiences in the way that it was intended.
What channels were used for message delivery?
The key delivery methods were online, radio and posters in public spaces. We decided not to use blanket TV advertisements for a number of reasons. Firstly, the risks were online so it was felt that the campaign should be as well. It’s important to focus on having a presence in the medium that you’re talking about. Secondly, the budget required for TV means that we couldn’t do it in a sustained manner. Without being able to sustain a campaign then there were limited chances for reinforcement. Without ongoing reinforcement there were limited chances to embed improved behaviours. The messages have also been spread by a broad range of thirty partners that have helped promote the site including Sophos, Facebook, and Financial Fraud Action UK.
How is success being measured?
Our audiences have been re-surveyed and so far we have found a four percent change in key behaviours. This doesn’t sound like a lot but this means approximately two million people in the UK have taken steps to improve their security since the campaign started.
As a security practitioner it’s fantastic to see a campaign with this level of rigour in the planning and execution. The level of analysis that has gone into defining the demographics and planning the campaign is astonishing. In particular the audience segmentation is fantastic. We really need to start doing this as standard for corporate campaigns.